1
Secure Distributed Objects for Grid Applications
Laurent Baduel, Arnaud Contes, Denis Caromel
OASIS team http://www.inria.fr/oasis
ProActive http://proactive.objectweb.org
2
Outline
Context
• ProActive overview
• Abstract Deployment model
Security Model
• Security Entities
• Security Policies
• Example
Conclusion
3
The ProActive Middleware
A Java API + Tools for Parallel & Distributed Computing
A uniform framework: Active Object (AO) pattern
• one thread, owns passive objects, remotely accessible
Programming model:
• groups, mobility, components, security
A formal model
• Determinism, Insensitivity to deployment
4
Deployment Model
Virtual Nodes:
• Identified as a string name, used in program source, configured (mapped) in an XML descriptor file
2 distinct steps:
• Development: Source Code
• Deployment: XML Descriptor
[Figure labels: Active Objects, VN, VN, Runtimes (JVMs), Hosts]
5
A ProActive Application
[Figure: Virtual Node 1, Virtual Node 2, Virtual Node 3; legend: Active object, Passive object]
6
Multiple Deployment Issues
One Host, Cluster, Grid
Different Deployments, Different Security Policies
7
Issues & Goals
Authentication of Computers, Users, and Applications
Creation, connection to, and monitoring of activities
Authentication, Integrity and Confidentiality (AIC) of communications
Several levels of security policies: users, resource providers, administrators
Main objective : Facilitate the use and the management of security features by removing them from the source code
8
Outline
Context
• ProActive overview
• Abstract Deployment model
Security Model
• Security Entities
• Security Policies
• Example
Conclusion
9
Security Entity Model
Generic definition, composed of a security manager and a protected object
Subject of security policies
Transparent for the protected object (meta object protocol)
No assumption about the protected object (runtimes, nodes, active objects, …)
Hierarchical structure
10
Security Entities
Security Manager:
• Entity ID
• Security Policies
• Session Manager
[Figure: two protected objects, each with its own Security Manager; labels: Negotiation protocol, Normal communications, Secured communications]
11
Application Authentication
User certificate
Application certificate
Certificate chain
Certificates for active objects, nodes
SPKI:
• Certificate chain
• No Certificate Authority
12
Hierarchical Security Policies
[Figure: policy levels Dn, D0, Runtime, VN, AO, each with Accept / Deny, leading to the Final Security policy; labels: Administrator policy, Resource provider policy, Application-level policy]
Security policy is defined according to all matching rules from:
• Domains / Runtime
• Virtual Node
• Active Object
13
Security Rule
Entities -> Entities : Interactions # Security Attributes
Entities:
• Domain
• User
• Virtual Node
• Object
Interactions:
• JVMCreation
• NodeCreation
• CodeLoading
• ObjectCreation
• ObjectMigration
• Request
• Reply
• Listing
Attributes:
• Authentication
• Integrity
• Confidentiality
Each attribute can be:
• Allowed
• Optional
• Disallowed
14
Descriptor Security Model
A key principle:
• Specify security policies in the XML deployment, NOT IN SOURCE CODE!
In program source:
• Virtual Node (VN, a string name)
In XML descriptors:
• List of policy rules between virtual nodes, runtimes, domains, …
15
Security Example
2 domains GridA & GridB with security policies
• Domain [GridA] -> Domain [GridB] : Q,P,M # [+A,+I,+C]
• Domain [GridB] -> Domain [GridA] : Q,P,M # [+A,+I,+C]
Application:
• 2 Virtual Nodes (vn1, vn2)
• 2 Active objects
16
Descriptor with Security
VirtualNodes: vn1, vn2
SECURITY:
  VN [vn1] -> VN [vn2] : Q,P # [?A,?I,?C]
  VN [vn1] -> VN [vn2] : M # Forbidden
  VN [vn2] -> VN [vn1] : Q,P # [?A,?I,?C]
  VN [vn2] -> VN [vn1] : M # Forbidden
  Domain [GridA] -> Domain [GridB] : Q,P,M # [+A,+I,+C]
  Domain [GridB] -> Domain [GridA] : Q,P,M # [+A,+I,+C]
Mapping:
  vn1 --> GridAComputers, GridBComputers
  vn2 --> GridAComputers
JVMs:
  /…/
17
Example: std. code, no security
    /…/
    proActiveDescriptor.activateMappings();
    vn1 = proActiveDescriptor.getVirtualNode("vn1");
    vn2 = proActiveDescriptor.getVirtualNode("vn2");
    /…/
    Flower rose = (Flower) ProActive.newActive(Flower.class, new Object[]{"Rose"}, vn1.getNode());
    Flower daliah = (Flower) ProActive.newActive(Flower.class, new Object[]{"Daliah"}, vn2.getNode());
    /* next VN1 node inside the same domain */
    rose.migrateTo(vn1);
    /* communication inside the same domain */
    rose.sayHelloTo(daliah);
    /* next VN1 Node, other domain */
    rose.migrateTo(vn1);
    /* communication with another domain */
    rose.sayHelloTo(daliah);
    /* other virtual node, forbidden */
    rose.migrateTo(vn2);
18
Example
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
19
Example
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
20
Example
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, active objects Rose and Daliah]
21
Example
Migration: same VN, same domain
Can I migrate to the next VN1 node?
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
22
Example
Migration: same VN, same domain
1 - Retrieve VN policy
2 - Migration allowed
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
23
Example
Migration: same VN, same domain
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
24
Example
Migration: same VN, same domain
Negotiated Policy: Rose -> Daliah : [?A,?I,?C]
Perform a method call: Rose -> Daliah : [?A,?I,?C]
Receive a method call: Daliah -> Rose : [?A,?I,?C]
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
25
Example
Migration: same VN, same domain
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
26
Example
Migration: same VN, other domain
Can I migrate to the next VN1 node on GridB domain?
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
27
Example
Migration: same VN, other domain
1 - VN1 policy -> none
2 - GridA -> GridB : [+A,+I,+C]
3 - Migration with [+A,+I,+C]
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
28
Example
Migration: same VN, other domain
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
29
Example
Method call: other VN, other domain, from Rose --> Daliah
Negotiated Policy: Rose -> Daliah : [+A,+I,+C]
Perform a method call: Rose -> Daliah : [+A,+I,+C]
Receive a method call: Daliah -> Rose : [+A,+I,+C]
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
30
Example
Migration: other VN, from Rose --> Daliah
Migration to VN2?
VN1 -> VN2 : [-M]
NO!
[Figure: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database, Rose, Daliah]
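The rule matching and negotiation walked through in the example slides, as added Python code (not ProActive code and not part of the original slides). It parses the descriptor's rule lines and combines every matching rule for one interaction. Assumptions: Q, P, M are read as request, reply and migration; +, ?, - are read as Allowed, Optional, Disallowed in the order of the Security Rule slide; the merge rule and the `NO_RULE` / `DENIED` return values are constructed to reproduce the outcomes on slides 24, 27, 29 and 30.

```python
import re

# Rule lines copied from the "Descriptor with Security" slide.
RULES_TEXT = """\
VN [vn1] -> VN [vn2] : Q,P # [?A,?I,?C]
VN [vn1] -> VN [vn2] : M # Forbidden
VN [vn2] -> VN [vn1] : Q,P # [?A,?I,?C]
VN [vn2] -> VN [vn1] : M # Forbidden
Domain [GridA] -> Domain [GridB] : Q,P,M # [+A,+I,+C]
Domain [GridB] -> Domain [GridA] : Q,P,M # [+A,+I,+C]
"""
RULE_RE = re.compile(r"(\w+) \[(\w+)\] -> (\w+) \[(\w+)\] : ([\w,]+) # (.+)")

def parse_rules(text):
    """Parse 'Entities -> Entities : Interactions # Security Attributes' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"malformed rule: {line!r}")
        sk, sn, dk, dn, inter, attrs = m.groups()
        # None marks a Forbidden interaction; otherwise map attribute -> level.
        levels = None if attrs == "Forbidden" else {a[1]: a[0] for a in attrs.strip("[]").split(",")}
        rules.append(((sk, sn), (dk, dn), set(inter.split(",")), levels))
    return rules

def combine(a, b):
    """Assumed merge of one attribute: '?' yields to '+' or '-'; '+' vs '-' has no result."""
    if a == b or b == "?":
        return a
    return b if a == "?" else None

def negotiate(rules, src, dst, interaction):
    """src and dst are sets of (kind, name) labels describing where each entity runs."""
    matched = [lv for s, d, inter, lv in rules
               if s in src and d in dst and interaction in inter]
    if not matched:
        return "NO_RULE"  # the slides give no default, so the caller decides
    result = {"A": "?", "I": "?", "C": "?"}  # unlisted attributes treated as optional
    for lv in matched:
        if lv is None:
            return "DENIED"  # a matching Forbidden rule stops the interaction
        for k in result:
            result[k] = combine(result[k], lv.get(k, "?"))
            if result[k] is None:
                return "DENIED"  # conflicting levels across policy layers
    return "[" + ",".join(result[k] + k for k in "AIC") + "]"

RULES = parse_rules(RULES_TEXT)
# Rose on vn1/GridB calls Daliah on vn2/GridA (the slide 29 case).
print(negotiate(RULES, {("VN", "vn1"), ("Domain", "GridB")}, {("VN", "vn2"), ("Domain", "GridA")}, "Q"))
```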
31
Conclusion
Transparent to application
Takes care of a hierarchy of security policies
Security can be adapted to application deployment
32
Thank you for your time
Questions ?